
During an Active Directory domain controller upgrade from Windows 2003 to Windows 2012 R2 I observed replication issues on the Domain Controller which also owned the PDC emulator role.

A problem logging onto the domain controller is what initially triggered the investigation into potential issues. It is always a good idea to ensure replication and event logs are healthy before performing Active Directory changes and upgrades for situations like this.

In the replication summary, DC-01 and DC-02 are fine, but DC-03 has replication errors and shows the error message "The target principal name is incorrect."

Resetting the domain controller's computer account using the following steps resolved the replication issues.

Fixing the Issue

Step 1

Identify the DC which owns the PDC role:

netdom query fsmo

Step 2

On the domain controller, disable the Kerberos Key Distribution Center (KDC) service.

Click Start, point to Programs, click Administrative Tools, and then click Services.
Double-click KDC, set the startup type to Disabled, and then restart the computer.
(Restarting is required or else you will get an error on the next step)

Step 3

Log on to the DC again and run the following command to reset the computer account.

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
(This cannot be done in Active Directory Users and Computers for domain controllers.)

Step 4

Set the KDC service to "Automatic" again and restart the server again.
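The health check recommended above (replication state before any change, plus the PDC owner from Step 1 and the KDC service state after Step 4) as an added PowerShell example; this is not code from the original post. It assumes the ActiveDirectory RSAT module on Windows Server 2012 R2 or later and a domain admin session; the error code it flags is the Windows SEC_E_WRONG_PRINCIPAL value behind the message in the screenshot.

```powershell
# Added example, not code from the original post: a pre-/post-change health check
# for the scenario above. Assumes the ActiveDirectory RSAT module on a Windows
# Server 2012 R2 (or later) domain member, run as a domain admin.
Import-Module ActiveDirectory

# SEC_E_WRONG_PRINCIPAL (0x80090322), reported by repadmin as -2146893022:
# "The target principal name is incorrect."
$WrongPrincipal = -2146893022

# Step 1 equivalent: identify the PDC emulator (netdom query fsmo shows the same).
$domain = Get-ADDomain
Write-Output "PDC emulator: $($domain.PDCEmulator)"

# Replication failures recorded by every DC in the domain, with the Kerberos
# error this post describes called out explicitly.
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if (-not $failures) {
    Write-Output "No replication failures recorded."
}
foreach ($f in $failures) {
    $flag = ""
    if ($f.LastError -eq $WrongPrincipal) { $flag = " <-- target principal name is incorrect" }
    Write-Output ("{0} <- {1}: {2} failure(s), last error {3}{4}" -f `
        $f.Server, $f.Partner, $f.FailureCount, $f.LastError, $flag)
}

# KDC service state on every DC. Step 2 sets it to Disabled temporarily; after
# Step 4 every DC must again show StartMode=Auto and State=Running.
foreach ($dc in Get-ADDomainController -Filter *) {
    $kdc = Get-WmiObject -Class Win32_Service -ComputerName $dc.HostName `
               -Filter "Name='kdc'" -ErrorAction SilentlyContinue
    if ($null -eq $kdc) {
        Write-Output ("{0}: KDC service not reachable (check RPC/WMI access)" -f $dc.HostName)
    } elseif ($kdc.StartMode -ne "Auto" -or $kdc.State -ne "Running") {
        Write-Output ("{0}: KDC is {1}/{2} - re-enable before continuing" -f `
            $dc.HostName, $kdc.StartMode, $kdc.State)
    } else {
        Write-Output ("{0}: KDC OK" -f $dc.HostName)
    }
}
```

Run it once before the upgrade and again after Step 4; any DC still reporting the flagged error or a non-running KDC is not ready for the upgrade.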

8 Comments

Looks like I’m having the same issue you are discussing here. Hoping you can clarify a couple of things for me. For me, the domain controller that’s having the “The target principal name is incorrect” is also the DC with the PDC role. Do I do steps 2 and 3 on the problematic DC with the PDC role or do I run those steps on a working DC? I’m having active directory replication issues.

You should run all of these steps on the PDC. Correction, run the password reset command from another domain controller other than the PDC. It’s possible it may work either way though. Let me know how it goes and good luck!

thanks! I found Microsoft KB288167 that said not to run it on the PDC, so I decided to run the commands on another DC, and everything is working great now. Your article definitely helped. thanks again.

btw, during my google search for answers to this problem, I found something very interesting on another site. If you email me, I can discuss it privately.

While I think this is going to work fine, I still have 2 questions for you Neil:
– When I disable the KDC (from the PDC) I will run the command on step 3. If I do this, will the AD users be able to authenticate again to re-enable the KDC? I ask this as I do not have the local Administrator account for the computer; the only Admin access I have is for the AD.
– I have 2 DCs, DC-A and DC-C. DC-A is my PDC, so I will disable the KDC on DC-A and run the command on step 3 FROM the other DC (DC-C). I will then re-log back in to DC-A and turn on the KDC.